
Commit 5000b23

authored
Merge pull request ceph#59169 from cbodley/wip-67464
rgw: revert account-related changes to get_iam_policy_from_attr() Reviewed-by: Pritha Srivastava <[email protected]>
2 parents 3a1e305 + f38429b commit 5000b23


2 files changed

+13
-13
lines changed


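--- a/qa/tasks/s3tests.py
+++ b/qa/tasks/s3tests.py
@@ -89,6 +89,8 @@ def _config_user(s3tests_conf, section, user, email):
 s3tests_conf[section].setdefault('totp_seed',
 base64.b32encode(os.urandom(40)).decode())
 s3tests_conf[section].setdefault('totp_seconds', '5')
+if section == 's3 tenant':
+s3tests_conf[section].setdefault('tenant', 'testx')
 
 
 @contextlib.contextmanager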

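--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -333,13 +333,11 @@ static int get_obj_policy_from_attr(const DoutPrefixProvider *dpp,
 
 static boost::optional<Policy>
 get_iam_policy_from_attr(CephContext* cct,
-const map<string, bufferlist>& attrs)
+const map<string, bufferlist>& attrs,
+const string& tenant)
 {
 if (auto i = attrs.find(RGW_ATTR_IAM_POLICY); i != attrs.end()) {
-// resource policy is not restricted to the current tenant
-const std::string* policy_tenant = nullptr;
-
-return Policy(cct, policy_tenant, i->second.to_str(), false);
+return Policy(cct, &tenant, i->second.to_str(), false);
 } else {
 return none;
 }
@@ -424,7 +422,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
 mpobj->set_in_extra_data(true);
 object = mpobj.get();
 }
-policy = get_iam_policy_from_attr(s->cct, bucket_attrs);
+policy = get_iam_policy_from_attr(s->cct, bucket_attrs, s->bucket_tenant);
 
 int ret = get_obj_policy_from_attr(dpp, s->cct, driver, s->bucket_owner,
 acl, storage_class, object, s->yield);
@@ -602,7 +600,7 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
 }
 
 try {
-s->iam_policy = get_iam_policy_from_attr(s->cct, s->bucket_attrs);
+s->iam_policy = get_iam_policy_from_attr(s->cct, s->bucket_attrs, s->bucket_tenant);
 } catch (const std::exception& e) {
 ldpp_dout(dpp, 0) << "Error reading IAM Policy: " << e.what() << dendl;
 
@@ -1971,7 +1969,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y)
 ldpp_dout(this, 0) << "failed to read bucket policy" << dendl;
 return r;
 }
-_bucket_policy = get_iam_policy_from_attr(s->cct, bucket_attrs);
+_bucket_policy = get_iam_policy_from_attr(s->cct, bucket_attrs, auth_tenant);
 bucket_policy = &_bucket_policy;
 pbucket = ubucket.get();
 } else {
@@ -2106,7 +2104,7 @@ int RGWGetObj::handle_slo_manifest(bufferlist& bl, optional_yield y)
 return r;
 }
 auto _bucket_policy = get_iam_policy_from_attr(
-s->cct, tmp_bucket->get_attrs());
+s->cct, tmp_bucket->get_attrs(), auth_tenant);
 bucket_policy = _bucket_policy.get_ptr();
 buckets[bucket_name].swap(tmp_bucket);
 policies[bucket_name] = make_pair(bucket_acl, _bucket_policy);
@@ -5553,7 +5551,7 @@ int RGWCopyObj::verify_permission(optional_yield y)
 if (op_ret < 0) {
 return op_ret;
 }
-auto dest_iam_policy = get_iam_policy_from_attr(s->cct, s->bucket->get_attrs());
+auto dest_iam_policy = get_iam_policy_from_attr(s->cct, s->bucket->get_attrs(), s->bucket_tenant);
 
 //Add destination bucket tags for authorization
 auto [has_s3_existing_tag, has_s3_resource_tag] = rgw_check_policy_condition(this, dest_iam_policy, s->iam_identity_policies, s->session_policies);
@@ -7196,7 +7194,7 @@ bool RGWBulkDelete::Deleter::verify_permission(RGWBucketInfo& binfo,
 return false;
 }
 
-auto policy = get_iam_policy_from_attr(s->cct, battrs);
+auto policy = get_iam_policy_from_attr(s->cct, battrs, binfo.bucket.tenant);
 
 bucket_owner = bacl.get_owner();
 
@@ -7536,7 +7534,7 @@ bool RGWBulkUploadOp::handle_file_verify_permission(RGWBucketInfo& binfo,
 return false;
 }
 
-auto policy = get_iam_policy_from_attr(s->cct, battrs);
+auto policy = get_iam_policy_from_attr(s->cct, battrs, binfo.bucket.tenant);
 
 return verify_bucket_permission(this, s, ARN(obj), s->user_acl, bacl, policy,
 s->iam_identity_policies, s->session_policies,
@@ -8180,7 +8178,7 @@ void RGWPutBucketPolicy::execute(optional_yield y)
 
 try {
 const Policy p(
-s->cct, nullptr, data.to_str(),
+s->cct, &s->bucket_tenant, data.to_str(),
 s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
 rgw::sal::Attrs attrs(s->bucket_attrs);
 if (s->bucket_access_conf &&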
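Review bot: The tenant handed to get_iam_policy_from_attr() is not the same kind of value at every call site: read_obj_policy, rgw_build_bucket_policies, RGWCopyObj, RGWBulkDelete and RGWBulkUploadOp pass the bucket's own tenant (`s->bucket_tenant`, `binfo.bucket.tenant`), whereas the handle_user_manifest and handle_slo_manifest hunks pass `auth_tenant`. If auth_tenant is the requester's tenant rather than the tenant of the bucket the manifest points at, a manifest segment living in another tenant's bucket would have its policy parsed against the wrong tenant; auth_tenant is defined outside the hunk, so this may be deliberate, but the two manifest call sites deserve a comment stating which tenant the policy is meant to be qualified with. The revert also drops the comment that explained the former nullptr tenant, so the new signature has no documentation of what `tenant` is for; a one-line comment above the definition such as `// tenant: the bucket's tenant, used when parsing the policy's principals/resources (confirm against Policy's ctor)` would make the contract explicit for future callers. Every function touched here starts and ends outside its hunk.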
